Add server-only to package to api-config

[sarah-inkeep]

No description provided.

[changeset-bot]

⚠️ No Changeset found

Latest commit: ce8763f

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Preview	Comments	Updated (UTC)
agents-docs	Ready	Preview	Comment	Dec 11, 2025 1:02am
agents-manage-api	Ready	Preview	Comment	Dec 11, 2025 1:02am
agents-manage-ui	Ready	Preview	Comment	Dec 11, 2025 1:02am
agents-run-api	Ready	Preview	Comment	Dec 11, 2025 1:02am

[claude]

Claude finished @sarah-inkeep's task —— View job

---

PR Review: Add server-only to package to api-config

Todo List:

• Analyze all changed files to understand server-only implementation
• Review code quality and architectural decisions
• Check for consistency with existing patterns
• Evaluate potential side effects and customer impact
• Provide comprehensive feedback and recommendations

---

Summary

This PR implements server-side execution safety by adding the server-only package and reorganizing imports to ensure server-side code cannot accidentally execute on the client. The changes are well-intentioned but reveal some architectural opportunities for improvement.

Key Changes Analysis

✅ Positive Changes

1. Added server-only package - Good practice for Next.js apps to prevent server code from bundling on client
2. Added explicit 'use server' directives - Makes server-side execution intent clear
3. Centralized ApiError import - Consolidates error handling imports from a single location
4. Minor UX improvement - Added autoComplete="on" to password field

🔍 Areas for Consideration

1. Inconsistent Server-Only Protection - Medium Priority

• Only api-config.ts has the import 'server-only' protection
• Other server-side modules like agent-full-client.ts, project-full.ts contain sensitive server logic but lack this protection
• Recommendation: Add import 'server-only'; to all server-side API client files for consistency

// These files should also have server-only protection:
// - src/lib/api/agent-full-client.ts
// - src/lib/api/project-full.ts  
// - All other server action files that access sensitive APIs

2. Architecture Pattern Inconsistency - Low-Medium Priority

• ApiError exports were moved inconsistently - some files export it, others import it separately
• The pattern in lib/index.ts shows ApiError is intended as a public API export
• Suggestion: Consider whether ApiError should be consistently exported from API clients or always imported from types/errors

3. Missing Documentation - Low Priority

• No changeset was added (flagged by changeset-bot)
• The server-only addition affects the public API surface but lacks changelog documentation
• Recommendation: Add a changeset explaining the security improvement

4. Test Coverage Concerns - Low Priority

• Import reorganization in test files could affect mock behavior
• The test changes look correct but warrant verification that mocking still works as expected

Security & Performance Assessment

✅ Security Improvements

• Prevents accidental client-side bundling of server-only code
• Reduces attack surface by keeping API configuration server-side only
• Cookie handling logic properly isolated to server context

✅ No Performance Impact

• Changes are build-time optimizations
• No runtime performance implications
• Bundle size should decrease slightly (server code excluded from client bundle)

System Design Considerations

1. Evolvability ✅

• Changes maintain backward compatibility
• Import reorganization creates cleaner separation of concerns
• Server/client boundaries are now more explicit

2. Consistency with Existing Patterns ⚠️

• Most server action files already use 'use server' (good!)
• However, server-only protection is only applied to one file
• Recommendation: Audit all server-side API files and apply consistent protection

3. Future-Proofing ✅

• Server-only pattern scales well for additional API modules
• Clear separation supports future modularization

Recommendations

High Priority

1. Add server-only protection consistently across all server-side API modules
2. Verify test coverage - ensure import changes don't break existing tests

Medium Priority

3. Add changeset for proper version tracking
4. Consider documenting the server/client boundary pattern in code comments or team docs

Low Priority

5. Consider whether ApiError export pattern should be standardized across the codebase

Customer Impact Assessment

✅ No Breaking Changes

• All public APIs remain unchanged
• Import paths for ApiError are maintained in public exports
• No impact on existing integrations

✅ Improved Developer Experience

• Clear build-time errors if server code is accidentally imported client-side
• More explicit server/client boundaries aid debugging

Code Quality Assessment

The implementation follows Next.js best practices and the code quality is solid. The import reorganization improves separation of concerns. The only concerns are consistency gaps that could be addressed in follow-up work or this PR.

Verdict

APPROVE with minor recommendations. This is a solid security and architecture improvement that follows Next.js best practices. The inconsistencies noted are minor and don't block the core improvement. The changeset can be added as a follow-up if needed.

---